Top 4 Security Holes in Enterprise Networks, shared by Tower FCU's VP of Information Security & ISO


We kicked off our 2021 CxO breakfast club with an engaging presentation from Phil Mellinger, CAMI Advisory Council member and VP of Information Security & ISO at Tower Federal Credit Union. Phil shared his top four "gaping security holes" challenging enterprise networks today. 

1. Inability to Conduct Security Reviews of “Pinned” TLS Traffic Bypassing Decryption

Many enterprises decrypt web traffic, inspect it for security issues, re-encrypt it, and then forward it to their users. However, destination websites that use “certificate pinning” (as defined in Transport Layer Security (TLS) Version 1.3 protocol) prevent inspection of traffic for “privacy” reasons. If the destination website uses “certificate pinning” and the website is not on the enterprise encrypted traffic bypass list, then the enterprise blocks the traffic, thus causing operational issues. If the website is on the bypass list, security cannot inspect the encrypted traffic before the traffic enters the enterprise. The greater the number of bypassed addresses, the higher the risk. Websites hosted on cloud storage systems are more problematic because often the websites can appear anywhere in cloud address space, meaning large address ranges bypassed for millions of unintended websites.

2. Inadequate Defense against Attacks Launched via Malware-infested “Customer” Devices

Despite multiple layers of defense1, enterprises fail to defeat malware attacks launched via customer devices. Enterprises cannot mandate customer devices employ the same controls as enterprises for high-risk devices2 or even ordinary enterprise-owned devices.3 Customers intolerant to “solutions” requiring agents/software on customer devices and enterprises intolerant to constantly updating applications.

Case Study:

“A Massive Fraud Operation Stole Millions from Online Bank Accounts”—crooks used emulators to mimic the phones of more than 16,000 customers and drain millions of dollars from online bank accounts in a matter of days.

  1. The Fallacy of Zero-trust4 and Vendor Software—The Solarwinds Compromise

A likely Nation-State cyberattack (assumedly originating from Russia) infiltrated infrastructures around the globe via vendor-supplied software (SolarWinds) to permit unauthorized access to networked resources. One victim, FireEye, publicly disclosed the cyberattack on Sunday, December 13, 2020. Reports indicate the cyberattack likely began in September 2019. Compromised servers contact resources outside the US, again increasing the difficulty of detecting the attack. While many enterprises have a wide variety of defenses against cyberattacks, none likely detects compromised vendor software. There are likely few if any security assessments accomplished against vendor products—vendor SOC2 reports or Internet-facing security reviews (e.g., BitSight) do not address products. Apparently, impacted organizations across the US (including 425 of Fortune 500 companies, many Federal departments and agencies, and all military branches) are similarly limited since this cyberattack went undetected for a year.

  1. Lemming-like Migration to “Secure” Cloud Solutions

Most believe cloud services are cheaper while “experts” (of the “Garten” variety) advise that no matter what your enterprise security is today, the Microsoft “Ecosystem” will provide better security. Do security staff consider unauthorized access of cloud personnel to information or whether enterprise data might reside outside the US (perhaps in emergencies)? The cloud will likely process a broad spectrum of enterprise information (not the narrow subsets of typical vendors) thereby making cloud services more than just ordinary vendors. Migrating to the cloud likely requires in-house cloud-aware security experts (likely more expensive than those managing on-premise resources).

1Includes device verification, behavioral analysis, dark web monitoring, distributed denial-of-service (DDoS) protection, Time-based One-time Password (TOTP), and Web Application Firewalls (WAF).

2Includes limiting access to device to only approved employees, remove capability for device to connect to the Internet, restrict device to software required to performing function, device software must be vendor-supported and up-to-date, patching must be up-to-date with no critical/high vulnerabilities, approved firewall product must be installed and up-to-date, approved antivirus and antimalware product must be installed and up-to-date.

Includes encrypted storage, mobile device management, next-generation antivirus and whitelisting, device management, data loss prevention, incident management, email security, and vulnerability screening.

4The term Zero-trust is a security ideal that organizations should not automatically trust anything inside or outside its perimeters. In this case, the fallacy is that organizations cannot realistically gain trust in all things.